A Deep Dive into the Recent Campaign Utilizing AgentTesla: Techniques, Tactics, and Impact

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • AgentTesla has emerged as a significant threat to organizations, leveraging sophisticated phishing tactics.
  • Lateral movement techniques observed include using legitimate credentials obtained through keystroke logging.
  • Command and Control (C2) infrastructure has demonstrated resilience through the use of dynamic DNS and IP rotation.

Executive Summary

In our recent analysis of a reported AgentTesla campaign, we observed a well-coordinated attack vector exploiting common phishing methodologies. The threat actor used counterfeit emails containing malicious attachments, leading to widespread infection across multiple sectors. AgentTesla, a notorious infostealer, is known for its ability to capture sensitive user information, including credentials and personal data. During the investigation, we traced the infection chain from initial access through execution and eventual impact, providing valuable insights into the actor’s TTPs.

Initial Access

The attack started with a spear-phishing email campaign. The messages appeared legitimate, often mimicking communications from well-known services or internal departments. The emails carried attachments that, when opened, executed a malicious script. We observed that the initial payload was a Microsoft Excel file containing a macro written in Visual Basic for Applications (VBA) that, once the user enabled it, downloaded the AgentTesla binary from a remote server. The filenames varied, but typical patterns included innocuous-sounding names like `Invoice.xlsx` or `Report.docm`.

Execution & Persistence

Upon successful infection, the malware ran from the following execution path: %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AgentTesla.exe. Placing the executable in the Startup folder gave it persistence across reboots. Our analysis revealed that the actor employed a base64-encoded payload that the malware decoded and executed in memory, which improved its stealth and made detection by standard antivirus solutions challenging. Furthermore, AgentTesla used an encrypted configuration file, stored in the system’s temporary directory, that held C2 information and operational parameters.
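The two host-side behaviours described above (an executable dropped into a Startup folder, and a base64-encoded command decoded at run time) can both be checked from endpoint telemetry. The following is an added example written for this report, not code from the original analysis or from any product: it scans a small set of constructed Sysmon-style events (the field names and the sample paths are assumptions of the example, modelled on the path quoted above), flags executable-type files created under any Startup folder, and decodes long base64 blobs found in command lines, trying UTF-16LE first because that is what PowerShell's -EncodedCommand uses.

```python
import base64
import binascii
import ntpath
import re

# Matches the per-user and all-users Startup folders regardless of whether the
# path is written with %APPDATA% or fully resolved (case-insensitive).
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Extensions that run when Windows processes the Startup folder. .lnk shortcuts
# are common for legitimate software, so they are deliberately left out here.
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}

# A run of 40+ base64 characters is long enough to hold a script or stager.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Plaintext behind the encoded PowerShell command in the constructed sample below.
ENCODED_SAMPLE_PLAINTEXT = 'Start-Process "$env:TEMP\\stage.exe"'

# Constructed sample events in a minimal Sysmon-like shape (the field names are
# an assumption of this example, not a product schema).
SAMPLE_EVENTS = [
    {"event": "FileCreate",
     "image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AgentTesla.exe"},
    {"event": "FileCreate",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode(ENCODED_SAMPLE_PLAINTEXT.encode("utf-16le")).decode("ascii")},
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def is_startup_persistence(path: str) -> bool:
    """True if `path` is an executable-type file inside a Startup folder."""
    ext = ntpath.splitext(path)[1].lower()
    return bool(STARTUP_RE.search(path)) and ext in EXEC_EXTS


def extract_encoded_payload(cmdline: str):
    """Return the decoded text of the first long base64 blob in `cmdline`, or None."""
    for match in B64_RE.finditer(cmdline):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        # PowerShell -EncodedCommand is UTF-16LE; ASCII text in that encoding has a
        # zero byte in every odd position, which is a cheap way to tell it apart.
        encoding = "utf-16le" if len(raw) % 2 == 0 and not any(raw[1::2]) else "utf-8"
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            return text
    return None


def scan(events):
    """Return (rule_name, detail) findings for the two behaviours described above."""
    findings = []
    for ev in events:
        if ev["event"] == "FileCreate" and is_startup_persistence(ev["target"]):
            findings.append(("startup_folder_persistence", ev["target"]))
        elif ev["event"] == "ProcessCreate":
            decoded = extract_encoded_payload(ev.get("cmdline", ""))
            if decoded is not None:
                findings.append(("base64_encoded_command", decoded))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The Startup-folder rule intentionally ignores `.lnk` shortcuts to keep noise down; the decoded command text is surfaced in the finding so an analyst sees what the process would have run rather than an opaque blob.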

Command and Control

AgentTesla’s C2 communication occurred over HTTPS and relied on dynamic DNS services to obscure the command-and-control servers. The malware periodically beaconed to various endpoints, rotating through a list of known IP addresses. We retrieved multiple URLs from the configuration file, indicating deliberate redundancy in the C2 infrastructure that makes it difficult for defenders to block traffic. Notable domains included `dns1.example.com` and `dns2.example.com`, which were changed frequently to evade takedown efforts. A substantial amount of the logged traffic displayed patterns consistent with T1071.001 – Application Layer Protocol: Web Protocols.
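Because the traffic is HTTPS, the observable signal in proxy or firewall logs is the timing rather than the content: periodic beacons have near-constant spacing, and a dynamic DNS name that resolves to several different addresses over a short window is the IP rotation described above. The following added example (written for this report; not part of the original analysis, and the log format, the source host and the timestamps are constructed) profiles every (source, destination) pair in a small log, computes the coefficient of variation of the gaps between connections, counts distinct resolved IPs, and flags pairs whose spacing is too regular for human browsing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ip=(?P<ip>\S+) "
    r"method=(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed proxy log: one host beaconing to dns1.example.com roughly every
# five minutes while the resolved IP rotates, plus ordinary browsing for contrast.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.10 method=CONNECT bytes=512
2024-05-01T10:05:03Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.11 method=CONNECT bytes=498
2024-05-01T10:09:58Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.12 method=CONNECT bytes=530
2024-05-01T10:15:01Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.10 method=CONNECT bytes=505
2024-05-01T10:20:02Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.11 method=CONNECT bytes=511
2024-05-01T10:24:59Z src=10.0.0.5 dst=dns1.example.com ip=203.0.113.12 method=CONNECT bytes=502
2024-05-01T10:01:12Z src=10.0.0.5 dst=www.example.org ip=192.0.2.80 method=CONNECT bytes=20481
2024-05-01T10:01:40Z src=10.0.0.5 dst=www.example.org ip=192.0.2.80 method=CONNECT bytes=7733
2024-05-01T10:13:05Z src=10.0.0.5 dst=www.example.org ip=192.0.2.80 method=CONNECT bytes=40012
2024-05-01T10:47:30Z src=10.0.0.5 dst=www.example.org ip=192.0.2.80 method=CONNECT bytes=1200
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def profile_connections(records):
    """Per (src, dst): event count, mean gap, gap coefficient of variation, distinct IPs."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["src"], rec["dst"])].append(rec)
    profiles = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        cv = None
        if len(gaps) >= 2 and mean_gap:
            cv = statistics.stdev(gaps) / mean_gap  # 0 means perfectly regular
        profiles[key] = {
            "count": len(recs),
            "mean_gap": mean_gap,
            "cv": cv,
            "distinct_ips": len({r["ip"] for r in recs}),
        }
    return profiles


def find_beacons(profiles, min_events=5, max_cv=0.15):
    """Flag (src, dst) pairs with enough events and near-constant spacing.

    Real implants add jitter, so max_cv is a tunable threshold rather than a
    constant; the distinct-IP count is kept in the profile as a rotation indicator.
    """
    return sorted(
        key for key, p in profiles.items()
        if p["count"] >= min_events and p["cv"] is not None and p["cv"] <= max_cv
    )


if __name__ == "__main__":
    profiles = profile_connections(parse_log(SAMPLE_LOG))
    for key in find_beacons(profiles):
        p = profiles[key]
        print(f"{key[0]} -> {key[1]}: {p['count']} connections, "
              f"mean gap {p['mean_gap']:.0f}s, cv {p['cv']:.3f}, {p['distinct_ips']} IPs")
```

On the sample the beaconing pair is flagged with a gap coefficient of variation near 0.01 and three distinct addresses behind one hostname, while the browsing pair has irregular gaps and is not flagged. A CDN-fronted site will also show several IPs per name, so the IP count is context for an analyst rather than a trigger on its own.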

Lateral Movement & Discovery

The actor’s lateral movement was highly sophisticated. We discovered instances where the actor used credentials harvested from the infected endpoint, employing T1550.001 – Use Alternate Authentication Material, to gain access to additional network shares. Tools such as PowerShell and PsExec were used to deploy AgentTesla onto other systems within the network, using valid credentials obtained through the malware’s keystroke-logging functionality. Lateral movement tactics also indicated the use of T1080 – Taint Shared Content, so that subsequent users of shared drives were compromised in turn.

Impact & Objectives

The immediate impact of the infection was the exfiltration of sensitive documents, usernames, and passwords, which the malware captured and sent back to the actor’s C2. The exfiltrated data came primarily from areas such as finance and HR, indicating possible corporate espionage or identity theft motives. Furthermore, remnants of previously present malware, suggesting a multi-stage infection, hinted at a broader objective of establishing a persistent foothold in the compromised networks. This scenario aligns with the Initial Access and Credential Access tactics, underscoring the operational intent of the threat actor.

MITRE ATT&CK Mapping

  • T1566 – Phishing: The delivery method utilized phishing emails containing malicious attachments to gain initial access.
  • T1203 – Exploitation for Client Execution: The infection vector involved exploiting user action on a malicious document containing VBA macros.
  • T1071.001 – Application Layer Protocol: Web Protocols: The malware communicated with its C2 infrastructure over HTTPS.
  • T1550.001 – Use Alternate Authentication Material: Credential theft facilitated lateral movement through valid user accounts.

Detection Opportunities

  • Monitor emails for malicious attachments, especially those using Excel with macros enabled.
  • Employ behavioral analysis to detect unusual PowerShell commands or PsExec usage across the network.
  • Implement network monitoring solutions to recognize patterns in HTTPS traffic indicative of C2 communication.
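The second detection opportunity, PsExec and unusual PowerShell across the network, maps onto a handful of Windows event types: a Service Control Manager event 7045 for the PSEXESVC service that PsExec installs by default on its target, a Security event 5145 for the PSEXESVC.exe binary being accessed on the ADMIN$ share, and a Security event 4688 process creation for powershell.exe invoking a remoting cmdlet with -ComputerName. The following added example (written for this report; not part of the original analysis, and the event records, host names, user name and addresses are all constructed) applies those three rules and then correlates the ADMIN$ access with the service install on the same host to reconstruct a source-to-target lateral movement edge.

```python
import re
from datetime import datetime

# PsExec's default service and binary name on the target host.
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)

# PowerShell remoting cmdlets aimed at another host.
PS_REMOTING_RE = re.compile(
    r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b.*?-ComputerName\s+(\S+)",
    re.IGNORECASE,
)

# Constructed Windows event records in a simplified shape (the field names are
# an assumption of this example, not the native XML schema).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T11:02:10Z", "host": "FS01", "event_id": 5145,
     "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe",
     "source_ip": "10.0.0.5", "user": "CORP\\alice"},
    {"time": "2024-05-01T11:02:11Z", "host": "FS01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-05-01T11:03:40Z", "host": "WS07", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Invoke-Command -ComputerName FS02 "
                "-ScriptBlock { Start-Process C:\\Users\\Public\\update.exe }",
     "user": "CORP\\alice"},
    {"time": "2024-05-01T11:05:00Z", "host": "FS01", "event_id": 7045,
     "service": "Windows Update Medic Service",
     "image": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"time": "2024-05-01T11:06:00Z", "host": "WS07", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports", "user": "CORP\\alice"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events):
    """Apply the three per-event rules; returns a finding dict per match."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 7045 and (PSEXEC_RE.search(ev.get("service", ""))
                            or PSEXEC_RE.search(ev.get("image", ""))):
            findings.append({"rule": "psexec_service_install", "host": ev["host"],
                             "detail": ev.get("service", "")})
        elif (eid == 5145 and ev.get("share", "").upper().endswith("ADMIN$")
              and ev.get("target", "").lower().endswith(".exe")):
            # 5145 records the share access check; a production rule would also
            # inspect the access mask to confirm write access was requested.
            findings.append({"rule": "admin_share_exe_access", "host": ev["host"],
                             "detail": f"{ev['source_ip']} -> {ev['target']}"})
        elif eid == 4688 and ev.get("image", "").lower().endswith("powershell.exe"):
            m = PS_REMOTING_RE.search(ev.get("cmdline", ""))
            if m:
                findings.append({"rule": "powershell_remote_execution", "host": ev["host"],
                                 "detail": f"{m.group(1)} -> {m.group(2)}"})
    return findings


def psexec_edges(events, window_s=60):
    """Pair an ADMIN$ PSEXESVC.exe access with a PSEXESVC service install on the
    same host within window_s seconds, yielding (source_ip, target_host) edges."""
    installs = [ev for ev in events if ev["event_id"] == 7045
                and PSEXEC_RE.search(ev.get("service", "") + ev.get("image", ""))]
    edges = []
    for ev in events:
        if ev["event_id"] != 5145 or not PSEXEC_RE.search(ev.get("target", "")):
            continue
        for inst in installs:
            delta = (_ts(inst["time"]) - _ts(ev["time"])).total_seconds()
            if inst["host"] == ev["host"] and 0 <= delta <= window_s:
                edges.append((ev["source_ip"], ev["host"]))
                break
    return edges


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
    for src, dst in psexec_edges(SAMPLE_EVENTS):
        print(f"PsExec lateral movement edge: {src} -> {dst}")
```

The name match is the weak point of the PsExec rule, since the service name can be changed by the operator; the correlation in `psexec_edges` still holds as long as the binary written to ADMIN$ and the service installed seconds later share a name, which is why the edge is built from two events rather than one.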

Analyst Notes

This analysis highlights the adaptability and stealth of the AgentTesla campaign. Defenders must continuously evolve their detection mechanisms to combat such sophisticated threats. Maintaining user education about phishing and enforcing strict controls over macro execution in document handling are crucial measures for mitigating the risks associated with these attacks. Future observations will need to focus on the evolution of the malware and its potential variants, as many actors modify existing threats to exploit specific organizational weaknesses.
